[Very Detailed] How to Hack Hotspot Login Credentials 04-18-2013, 07:17 AM
How to hack hotspot login credentials.
A big issue a few years back had to do with dial-related fraud in Russia. Basically, usernames and passwords to dial accounts were being bought and sold on the black market and the owners of the stolen credentials were being hit with enormous usage charges. In actuality, this still takes place. With the onset of Public Wi-Fi locations, the threat of fraud and misuse has also moved to the stealing of wireless subscription credentials.
An easy and inexpensive method to steal wireless subscription credentials is by AP Phishing. As it stands today, the only real methods a typical end-user has to determine if a wireless access point is valid is by recognizing the SSID and ascertaining if the site has the look and feel of the real public Wi-Fi hotspot login page. Unfortunately for the end-user, both of these can be easily spoofed. Here's how it's done and no, you won't have to carry a wireless access point around to do this.
Now performing this technique requires two steps:
- Setting up your computer so it'll look like an actual access point broadcasting the appropriate SSID (T-Mobile, Wayport, etc.)
- Having the walled-garden, or login page that your computer will display look like the real login page of the provider whose signal you are broadcasting
It's not hard to make your computer broadcast the SSID of your choice, in an attempt to get a person to connect to you instead of a valid Wi-Fi hotspot SSID. The problem with the "easy way" is that the potential victim sees that this is an Ad-Hoc network and most people these days know not to connect to these. So, we employ the use of Airsnarf by the Shmoo Group to make this signal look like it's coming from an Access Point. Essentially, we will be turning the laptop into an Access Point.
The most difficult part of using Airsnarf and other HostAP-reliant programs is finding a card that supports the HostAP drivers. Personally, I use the Senao NL-2511CD PLUS EXT2 200mw PCMCIA Wi-Fi with a Rover Portable Laptop Mount 2.4GHz 5.5dBi Antenna. Both of these can be purchased from http://www.wlanparts.com/ (Thanks to Tom's Networking for detailing this hardware info a while back).
Airsnarf consists of a number of configurable files that control how it operates:
- airsnarf.cfg file, used to configure basic Airsnarf functionality
- airsnarf.cgi file
With Airsnarf configured with default settings, it will display a default login page that looks like the following:
This default page will take the username and password that are entered and dump them into a file where they can be read.
To make this attack really work, this login page needs to be modified to look just like a real Wi-Fi hotspot provider's login. Depending upon your HTML skills, you can either get real fancy or just stick to basics. For this proof of concept, I'm going to keep it very simple. Of course, it wouldn't be difficult to go to a T-Mobile, Wayport, STSN, Concourse or any other hotspot provider's site and essentially copy-and-paste their graphics to make the login page look just like theirs.
Once Airsnarf is configured and the custom login page is created, the attack can be launched. Any airport, coffee shop, or other public area where people utilize their laptops will work. To launch the attack, activate Airsnarf by typing the ./airsnarf command. Below is an example of what you'll see when the attack is launched.
Airsnarf being launched and waiting for a connection
An end-user attempting to connect to the hotspot will see the SSID that was entered into the airsnarf.cfg file and use their computer to connect to that network. Upon launching their browser, they will be prompted to enter their username and password.
Windows Zero Config showing the T-Mobile HotSpot being broadcast by Airsnarf
Fake Walled Garden/Login Page presented by Airsnarf
Once the user enters their credentials and hits the Login button, their credentials have been compromised and can be used by the person with ill-intent. This could be only the beginning, though. Commonly, users will utilize the same username and password for many different accounts/websites. Consequently, the username and password that were just grabbed may enable a hacker to access the user's e-mail, online banking, etc.
Example of credentials entered into Airsnarf AP Phishing Site and dumped to a file
Another variation of this above trick is to change the SSID to something like "Free Public Wi-Fi," at which point, you can change the login page to something creative, such as the following:
Without question, there will be users that will fall for this trick and you now have access to their e-mail.
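From the defender's side, the setup described above is visible in the air: an operator's SSID appears from a BSSID whose vendor prefix is not one of the operator's access points, or as an Ad-Hoc (IBSS) network. The following is an added example, not part of the original post or of Airsnarf, that runs that check over a constructed scan; the SSIDs, OUI prefixes and scan records are made-up samples.

```python
"""Evil-twin / rogue-AP check over a constructed Wi-Fi scan (added example)."""

# Constructed inventory: SSID -> OUI prefixes (first three octets) of the
# operator's own APs. In practice this comes from the AP controller or
# asset database, not from a hard-coded dict.
KNOWN_OUIS = {
    "tmobile": {"00:0b:86", "00:1a:1e"},
    "Wayport_Access": {"00:0f:66"},
}

# Constructed scan records: SSID;BSSID;channel;mode (AP or IBSS = Ad-Hoc).
SCAN = """\
tmobile;00:0b:86:4a:11:02;6;AP
tmobile;00:1a:1e:77:be:01;11;AP
tmobile;00:02:6f:3c:9d:e4;6;AP
Free Public Wi-Fi;00:16:cb:aa:01:22;1;IBSS
Wayport_Access;00:0f:66:12:34:56;1;AP
"""


def parse_scan(lines):
    """Parse 'SSID;BSSID;channel;mode' records, skipping malformed lines."""
    records = []
    for line in lines:
        parts = [p.strip() for p in line.split(";")]
        if len(parts) != 4 or not parts[1]:
            continue
        ssid, bssid, channel, mode = parts
        records.append((ssid, bssid.lower(), channel, mode.upper()))
    return records


def find_rogue_aps(records, known=KNOWN_OUIS):
    """Return one alert string per suspicious record."""
    alerts = []
    for ssid, bssid, channel, mode in records:
        if mode == "IBSS":
            # Hotspot operators run infrastructure APs, never Ad-Hoc cells.
            alerts.append(f"{ssid}: {bssid} (ch {channel}) is an Ad-Hoc network")
        elif ssid in known and bssid[:8] not in known[ssid]:
            # A known SSID from an unknown vendor prefix: likely a laptop
            # card in HostAP mode impersonating the operator.
            alerts.append(f"{ssid}: {bssid} (ch {channel}) has unknown vendor prefix")
    return alerts


if __name__ == "__main__":
    for alert in find_rogue_aps(parse_scan(SCAN.splitlines())):
        print(alert)
```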
Malicious Websites and Browser Exploits
Given the knowledge of the aforementioned exploits, a creative combination could be had. What if the walled garden/login page in the previous exploit actually contained code that would exploit a user's machine? That way an attacker could gain access to an end-user system just by that user attempting to connect to what they believe is a valid Wi-Fi hotspot. An exploit that could take advantage of this is Microsoft's relatively recent Create Text Range vulnerability. All a hacker would need to do is copy the malicious code into the login page and every person who connected to that hotspot could potentially be exploited.
Part of the actual code that could be inserted into a webpage to automatically download and run a malicious executable on the victim's machine just by that user viewing the webpage.
That would be "cool," but we're going to take it a step further. What if people who were currently connected to the hotspot were "forced" to view a malicious page, regardless of the URL they entered into their browser? That would be "cooler!"
This hack contains the following steps:
- Creating a malicious webpage and serving it up on a laptop
- Redirecting traffic at a Public Wi-Fi Hotspot to that malicious webpage running on the laptop
- As the victim is redirected and the malicious page is viewed, a browser-based exploit is run which gives the hacker a live command shell (c:\) on the victim's machine
So, the hacker goes to a Public Wi-Fi hotspot and connects to the network. He then launches Metasploit to create the malicious webpage and serve it up.
Commands to use Microsoft's Create Text Range vulnerability and to select the option of creating a reverse shell back to the hacker once the exploit is executed
The setting of various options for the exploit
With all options set properly, the web page is served up and ready to exploit the machine by running the "exploit" command
Now that there's a machine on the hotspot network running a malicious webpage, it's necessary to redirect traffic destined for the Internet to that website.
Run the arpspoof command to redirect traffic destined for the Internet to the malicious webpage.
Running dnsspoof, you can see that a user attempted to go to foxnews.com but was redirected to the malicious webpage.
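Both redirection steps leave a plain trace in a packet capture on the hotspot LAN: the gateway's IP is suddenly claimed by a second MAC address (arpspoof), and a public hostname resolves to an address inside the local subnet (dnsspoof). The following is an added example, not from the original post or from the dsniff tools, that flags both patterns; the line format, subnet, addresses and MACs are constructed samples.

```python
"""Flag ARP and DNS spoofing in constructed capture lines (added example)."""
import ipaddress
import re

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed hotspot subnet
GATEWAY = "192.168.1.1"                      # assumed gateway address

# Constructed lines loosely modelled on tcpdump output, not real captures.
CAPTURE = """\
ARP, Reply 192.168.1.1 is-at 00:0f:66:12:34:56
ARP, Reply 192.168.1.1 is-at 00:02:6f:3c:9d:e4
ARP, Reply 192.168.1.1 is-at 00:02:6f:3c:9d:e4
DNS A? www.foxnews.com -> 192.168.1.50
DNS A? www.example.net -> 93.184.216.34
"""

ARP_RE = re.compile(r"ARP, Reply (\S+) is-at ([0-9a-f:]{17})")
DNS_RE = re.compile(r"DNS A\? (\S+) -> (\S+)")


def detect_redirection(lines, lan=LAN, gateway=GATEWAY):
    """Return alerts for IP->MAC changes and public names resolving into the LAN."""
    ip_to_mac = {}   # first MAC seen for each IP
    reported = set()  # (ip, mac) pairs already alerted, to avoid repeats
    alerts = []
    for line in lines:
        m = ARP_RE.search(line)
        if m:
            ip, mac = m.groups()
            first = ip_to_mac.setdefault(ip, mac)
            if first != mac and (ip, mac) not in reported:
                reported.add((ip, mac))
                who = "gateway" if ip == gateway else "host"
                alerts.append(f"ARP: {who} {ip} moved from {first} to {mac}")
            continue
        m = DNS_RE.search(line)
        if m:
            name, addr = m.groups()
            # An Internet hostname answered with a LAN address points at a
            # local machine serving the page instead of the real site.
            if ipaddress.ip_address(addr) in lan:
                alerts.append(f"DNS: {name} resolved to LAN address {addr}")
    return alerts


if __name__ == "__main__":
    for alert in detect_redirection(CAPTURE.splitlines()):
        print(alert)
```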
This is the page that contains the malicious content that will enable a hacker to connect to the victim machine via Netcat. This page appears regardless of the URL entered by the end-user. This page could look like and say anything.
The hacker then launches Netcat. The C:\ is on the victim's machine which is real bad news for the victim. FYI - Windows XP Firewall and Symantec AV were running the entire time.
If you didn't want to go to a public Wi-Fi hotspot and serve up the webpage, you could just host the website somewhere and send out e-mails trying to convince people to go to the site. With Metasploit, for example, the payload doesn't have to be a reverse shell; you can have the malicious webpage download and execute a malicious file. Perhaps that malicious file would install a Trojan, Keylogger, or other Malware.
Examples of possible Metasploit Payloads for ie_createtextrange exploit.